Merge pull request #6761 from MicrosoftDocs/main

Publish to live, Monday 4 AM PST, 4/14

Author: ttorble

data-explorer/media/security-network-restrict-access/networking-public-access-selected-ip-addresses-service-tag-configured.png

@@ -8,7 +8,7 @@ ms.date: 11/18/2024
 
 # Create a managed private endpoint for Azure Data Explorer
 
-Managed private endpoints are required to connect to Azure resources that are highly protected. They're one-way private connections that allow Azure Data Explorer to connect to other protected services. In this article, you'll learn how to create a managed private endpoint and connect it to your data source.
+Managed private endpoints are an optional method to connect to Azure resources that are highly protected. They're one-way private connections that allow Azure Data Explorer to connect to other protected services. In this article, you'll learn how to create a managed private endpoint and connect it to your data source.
 
 > [!NOTE]
 > We recommend using Managed Identity connect to [Azure Storage](/azure/storage/common/storage-network-security?tabs=azure-portal#grant-access-to-trusted-azure-services) and [Azure Event Hubs](/azure/event-hubs/event-hubs-ip-filtering#trusted-microsoft-services) instead of managed private endpoints. To connect using managed identities, configure the Azure Storage or Event Hubs resources to recognize Azure Data Explorer as a trusted service. Then, use [Managed Identity](/azure/data-explorer/managed-identities-overview) to grant access by creating a network rule exception for trusted Azure services.

data-explorer/media/security-network-restrict-access/networking-public-access-selected-ip-addresses-service-tag-search.png

@@ -70,17 +70,18 @@ You can configure the selected IP addresses either through the Azure portal or b
 
 #### [Azure portal](#tab/portal)
 
-> [!CAUTION]
-> To configure [service tags](/azure/virtual-network/service-tags-overview#available-service-tags) use the **ARM template**.
-
 1. Go to your cluster in the [Azure portal](https://portal.azure.com/).
 1. Under **Security + networking** > **Networking** > **Public access**, select **Enabled from selected IP addresses**.
 
-    :::image type="content" source="media/security-network-restrict-access/networking-public-access-selectedIpAddresses.png" lightbox="media/security-network-restrict-access/networking-public-access-selectedIpAddresses.png" alt-text="Screenshot of the network configuration page, showing the enabled from selected IP addresses option without any address range configured.":::
+    :::image type="content" source="media/security-network-restrict-access/networking-public-access-selected-ip-addresses-service-tag.png" lightbox="media/security-network-restrict-access/networking-public-access-selected-ip-addresses-service-tag.png" alt-text="Screenshot of the network configuration page, showing the enabled from selected IP addresses option without any address range or service tag configured.":::
+
+1. Configure the Service Tags you want to allow to connect to the cluster.
+
+    :::image type="content" source="media/security-network-restrict-access/networking-public-access-selected-ip-addresses-service-tag-search.png" lightbox="media/security-network-restrict-access/networking-public-access-selected-ip-addresses-service-tag-search.png" alt-text="Screenshot of the network configuration page, showing the Service Tag search bar to configure the allowed service tags.":::
 
-1. Configure the IP addresses or CIDR ranges that you want to allow to connect to the cluster. 
+1. Configure the IP addresses or CIDR ranges that you want to allow to connect to the cluster.
 
-    :::image type="content" source="media/security-network-restrict-access/networking-public-access-selectedIpAddresses-configured.png" lightbox="media/security-network-restrict-access/networking-public-access-selectedIpAddresses-configured.png" alt-text="Screenshot of the network configuration page, showing the selected IP addresses specified for Enabled from selected IP addresses. They are specified as individual IP address and in CIDR notation.":::
+    :::image type="content" source="media/security-network-restrict-access/networking-public-access-selected-ip-addresses-service-tag-configured.png" lightbox="media/security-network-restrict-access/networking-public-access-selected-ip-addresses-service-tag-configured.png" alt-text="Screenshot of the network configuration page, showing the selected IP addresses specified for Enabled from selected IP addresses. They are specified as individual IP address and in CIDR notation. Additionally the selected Service tags are shown.":::
 
 1. Select **Save** to submit the configuration.